‘Exploiting Freelist on Windows XP Service Pack 2’
‘The information has been provided by Brett Moore.
The original article can be found at: http://www.security-assessment.com/Whitepapers/Exploiting_Freelist_On_XPSP2.zip‘
Windows XP Service pack 2 introduced some new security measures in an attempt to prevent the use of overwritten heap headers to do arbitrary byte writing. This method of exploiting heap overflows, and the protection offered by service pack 2, is widely known and has been well documented in the past. What this paper will attempt to explain is how other functionality of the heap management code can be used to gain execution control after a chunk header has been overwritten. In particular this paper takes a look at exploiting freelist overwrites.
Two new methods of exploitation are explained in this paper. The first allows for the address of user supplied data to be written to a semi arbitrary location. The other allows for a semi arbitrary address to be returned to a HeapAlloc call.
The full paper, along with code samples can be found at: Exploiting Freelist On Windows XP Service Pack 2‘